Assign an existing User-Assigned Managed Identity to VM from another subscription using Azure Policy
Azure provides a comprehensive list of built-in policy definitions (grouped by the category property defined in the metadata) which are owned and maintained by Microsoft (where the azure-policy repository contains the direct representation of these).
Built-in policy definitions usually cover a specific scenario although some flexibility might be provided through parameters that can be configured. However, customers might have specific needs not covered by an available built-in policy definition and a custom policy definition might be needed.
As a rule of thumb, if there is a built-in policy definition that covers part of a scenario, a custom policy definition can be created based on it introducing the necessary modifications.
Let’s take into consideration the [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines built-in policy definition that creates and assigns a built-in user-assigned managed identity or assigns a pre-created user-assigned managed identity at scale to virtual machines. This currently provides the user-assigned managed identity name and resource group name as parameters expecting that it is on the same subscription as the virtual machine resource. However, in a scenario where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource, a custom policy definition is required.
Before creating a custom policy, it is worth checking both the Azure Policy Samples as well as the Community Policy Repository to see whether a policy definition that matches your needs already exists. Coming back to the user-assigned managed identity assignment to virtual machines where the pre-created user-assigned managed identity exists in a different subscription from the virtual machine resource scenario, a custom policy definition is available here where the user assigned managed identity resource URI (which contains the subscription ID) is provided as a parameter.
Published on:
Learn moreRelated posts
Announcing Azure DevOps Server General Availability
We’re thrilled to announce that Azure DevOps Server is now generally available (GA)! This release marks the transition from the Release Candid...
Blue-green deployment in Azure Container Apps using Azure Developer CLI
Learn how to implement blue-green deployment in Azure Container Apps using Azure Developer CLI (azd) revision-based deployment strategy. The p...
Zonal resiliency in Azure
Microsoft Purview: Azure AI Foundry integration with Microsoft Purview for AI
Purview enablement in AI Foundry, allows Foundry admins to activate Microsoft Purview on their subscription. Once enabled, AI interaction data...
Long-term data retention up to 10 years: Announcing Private Preview of Azure Backup for Azure Cosmos DB
Azure Backup for Azure Cosmos DB is a new option that lets you securely protect and recover your Azure Cosmos DB data for compliance, audit, a...
Assessing Your Azure Data Factory for Migration to Fabric Data Factory
As organizations modernize their data integration workflows, moving from Azure Data Factory (ADF) to Fabric Data Factory is an important miles...
Video: Copilot Studio – Connect Azure SQL As Knowledge
SQL is where the worlds data is stored. And in this video I’m going to ... The post Video: Copilot Studio – Connect Azure SQL As Knowled...
Azure Backup Threat Detection
One Azure, Many Logins: How Users Access Microsoft’s Cloud Safely
Users can access Microsoft Azure through several flexible and secure methods, depending on their role, device, and workload needs. The most co...